JPS615350A - Computer - Google Patents

Abstract

PURPOSE:To ensure the high reliability of a computer without using any special hardware by separating a master unit when it has a fault of the synchronizing transmission and at the same time substituting one of slave units for a master unit. CONSTITUTION:A computer contains three arithmetic control units 1a-1c that perform the same processing and a majority logical circuit 2. These units 1a-1c are connected to each other by the 1st and 2nd transmission lines 3 and 4. The external sensor signals, etc. are supplied via an input line 5, and supplied to the circuit 2 via a unit output line 6 after a prescribed operation. Then the sensor signals are outputted via a control output line 7 and also fed back via a control output monitor line 8. The units 1a-1c collates these signals with own output and feed them back. When a rise indication is given to a unit, a master unit is obtained in terms of the synchronizing control. If this master unit has a fault, a slave unit substitutes for the faulty master unit. Thus the normal working is virtually secured from outside.

Description

[Detailed Description of the Invention] [Technical Field of the Invention] The present invention provides a method for providing safety information to devices controlled by a single computer when a failure occurs in a part of the functional parts constituting a single computer. A highly reliable computer that is used in a fail-safe system that guarantees proper operation, or a fault-tolerant system that ensures that the computer appears to operate normally even in the event of a failure. Regarding.

[Technical Background of the Invention and Problems Therein] Since railway safety signaling devices and the like are related to human life, fail-safe systems have been established to ensure safe operation in the event of a failure in a part of the equipment. ing. This system is constructed by using special logic elements and logic circuits to ensure fail-safe, and the scale of the device is larger than general electronic equipment compared to the logical judgment function performed by the system. have shortcomings.

In addition, the computer system that controls plant equipment, etc.
Since high reliability is required in these systems, the computers used there themselves have a dual or triple system configuration. However, while this plant control system is capable of more advanced processing than the railway safety equipment mentioned above,
It became necessary to add highly reliable special circuits to synchronize and check multiple computers, and to control these circuits,
Programs for actions to be taken when a failure is detected become complex.

Devices that require such high reliability have the disadvantage of being large in scale and requiring the use of a large number of special elements and circuits (hardware) for, for example, synchronization monitoring. Another drawback is that it lacks flexibility in response to requests for functional expansion.

[Purpose of the invention]

The present invention has been made to overcome the above-mentioned drawbacks of the prior art, and provides a highly reliable computer that eliminates special hardware for synchronizing computers and can reduce the size of the device. The purpose is to

[Summary of the invention]

In order to achieve the above object, the present invention provides the following computer. In other words, multiple arithmetic and control units are connected through a transmission line to form a single system, and each arithmetic and control unit is synchronized and monitored using information sent and received via this transmission line. It is a highly reliable computer that performs predetermined calculations on information and outputs the result to the outside.When a start-up instruction is given to any one arithmetic and control unit, the arithmetic and control unit that received this instruction serves as a parent unit (hereinafter referred to as mask unit) for synchronization control, and performs startup command notification and synchronization control etc. via the transmission line, and other arithmetic and control units that have received the startup command notification perform synchronization control. Child unit (hereinafter referred to as slave unit)
The unit operates in synchronization with the master unit. Furthermore, when a failure occurs in the master unit, one of the slave units becomes the new master unit and maintains synchronous control, ensuring that even if a failure occurs, it appears to operate normally from the outside. It provides a reliability calculator.

[Embodiments of the invention]

Hereinafter, some embodiments of the present invention will be described with reference to the accompanying drawings. In the following description of the accompanying drawings, the same elements are indicated by the same reference numerals.

FIG. 1 is a block diagram showing the basic configuration of an embodiment of the present invention. FIG. 1(a) shows a case where there are three arithmetic and control units, and FIG. 1(b) shows a case where there are two. . Figure 1 (
In a), the computer has three arithmetic control units Ia, lb, lc and a majority logic circuit 2 that perform the same processing and operation, and the arithmetic control units la, 1b, 1c
are mutually coupled by first and second transmission lines 3 and 4, respectively. Here, the first transmission line 3 transmits an alternating signal that also serves as a synchronization timing indicating that each arithmetic and control unit la, 1b, 1c is operating normally. Further, the third transmission line 4 includes each arithmetic and control unit la, 1b,
Data to be checked between LCs and information indicating their status are transmitted serially.

External sensor signals and the like are applied to the arithmetic and control units ja, 1b, and 1c via input lines 5, and after predetermined calculations are applied to the majority logic circuit 2 via unit output lines 6. The majority logic circuit 2 generates an output based on the majority logic for the input signal given, and supplies this to an external m unit (not shown) via a control output line 7, as well as a control output monitoring line. 8 to each arithmetic and control unit 1a.

Return to 1b and 1C. Each arithmetic and control unit la.

lb, IC compares this with its own output and monitors it. Note that the above situation is the same in FIG. 1(b).

FIG. 2 is a block diagram showing the internal structure of the arithmetic and control unit 1a shown in FIG. The arithmetic control unit 1a has two processors, a diagnostic processor 10 and a control processor 11'', the first transmission line 3 is connected to the diagnostic processor 10, and the second transmission line 4 is connected to the control processor 11. ing.

Control processor 11 receives input I! 5 and provides the result to the unit output relay 12 via the control processor output line 21.

A signal regarding the execution timing of this operation is given from the diagnostic processor 10 via the diagnostic processor status line 22. The details of the execution timing will be described later. Also, the control processor 11 exchanges information with the diagnostic processor 10 via the diagnostic processor status line 22 and the control processor status line 23, and mutually monitors each other. When a startup command is given from the diagnostic processor 10, the other arithmetic and control units 1b,
1c, and also performs data verification.

The unit output relay 12 has a diagnostic processor status line 22;
Control processor status line 23, fail-safe OR circuit 1
3 and the unit output relay control line 24, and when any processor that detects a device failure sends a signal to prohibit the operation of the unit output relay 12, the unit output relay 12 is fixed on the safe side. Note that information indicating the status of the unit output relay 12 is given to the control processor 11 via the unit output relay status line 25.

The main functions of the diagnostic processor 10 are, firstly, to monitor the operation of the control processor 11, and secondly, when the arithmetic and control unit 1a is equipped with an inspection device (not shown) and performs online maintenance, the diagnostic processor 10 functions as an inspection device. The third purpose is to exchange information with other arithmetic and control units 1b and 1c via the first transmission line 3 for preventive maintenance, and to process command output to the control processor 11. When a start-up command is given from the fourth start-up switch SW, the control processor 11 is notified of this and a synchronization signal is generated.

FIG. 3 is a block diagram showing the internal structure of the control processor 11 of FIG. 2. Control processor 11 is processor 1
10, local memory 111, input/output controller 11
2, 113, 114 and a transmission controller 115, which are connected to each other by an internal bus 117.

External signals are input through input line 5 and input/output controller 1.
12, and the calculation output is given to the unit output relay 12 via an input/output controller 114 and a control processor output line 21. The input/output controller 113 is for mutual monitoring with the diagnostic processor 10, and the transmission controller 115 is for mutual monitoring with the other arithmetic and control unit 1b.
, 1c.

Next, the operation of the embodiment shown in FIGS. 1 to 3 will be explained with reference to FIGS. 4 to 6. FIG. 4 is a diagram illustrating the operation of the above embodiment. It is a transition diagram.

The arithmetic and control units 1a, 1b, and Ic can all take any of the states shown in FIG. 4, and the transition between states is P(
It is indicated by j. Note that each status is as follows.

0: OFF (OFF>): Power off or unit initialization processing in progress, 1: WAIT: initialization processing completed,
When the self-diagnosis result is normal, 2: Mutual diagnosis (-DI to ○)... Mutual diagnosis and synchronization of other arithmetic and control units 1 and the first and second transmission lines 3 and 4, 3: Triple system operation ('TMR)...triple system state operating in parallel with another arithmetic control unit 1, 4:2 system operation (DMR)...parallel operation with another arithmetic control unit 1 Dual system state, 5: Inspection (TES
T)...When the control processor 1 is running a diagnostic program in response to an inspection request from an inspection device (not shown), 6: Down ('DOWN)...Self-detects a fault and becomes unable to operate online. In the above states O to 6, the control signal is output to the external device via the unit output relay 12 in states 3 and 4.
In other situations, the unit output relay 12 is fixed to the safe side.

The outline of the operation when starting up the system W (computer) is as follows. When the power is turned on to the arithmetic control unit 1, the state g
At step o, the internal functions of the own arithmetic and control unit are checked by a self-diagnosis program. If no fault is detected as a result of the self-diagnosis, the system transits to state 1 via path P, where a startup request is made. When a start-up request is made by a start-up switch SW or the like, this arithmetic and control unit 1 becomes a master unit and transits to state 2 via path P12. In state 2, the first and second transmission lines 3,
Mutual diagnosis is executed with other arithmetic and control units 1, that is, slave units, via the arithmetic and control unit 4, and synchronization is established so that all arithmetic and control units 1 perform the same processing in synchronization. When all of the arithmetic and control unit 1, the first and second transmission lines 3.4 are normal, the path P
23 to state 3.

There is a failure in one of the other arithmetic and control units 1,
If there is a failure in one of the first and second transmission lines 3 and 4, the state transitions to state 4 via path P24. Mutual diagnosis I for any other arithmetic and control unit 1
When the receiver cannot pass the C-th information and information for synchronization, or when the receiver receives information from all other arithmetic and control units 1 that there is a failure in its own arithmetic and control unit 1, the receiver Transition to state 6 via P26.

The arithmetic and control unit 1 in state 3.4 operates its own unit output relay 12 and starts outputting a control signal. In this way, the start-up operation is completed and online operation is started.

FIG. 5 is an explanatory diagram of the processing procedure of the diagnostic processor 10 and control processor 11 of the embodiment shown in FIGS. 1 to 4. The processing of the diagnostic processor 10 consists of three stages (5YN
C, ANA, and 5VC), and these are executed at regular intervals. The first stage (SYNC) performs synchronization via the first transmission line 3, and the control processor 11
This process gives the operation timing to the The second stage (ANA) is an I
This is a process of performing path analysis based on D. Further, the third stage (SVC) notifies the control processor 11 of the result of the bus analysis, and also notifies the control processor 11 of the result of the bus analysis.
This process monitors the operating status of the

The processing of the control processor 11 consists of three stages (IN, C
Δ10.0υ■), and these are diagnosed using diagnostic processor 1.
It is executed at a constant cycle according to the operation timing generated in the first stage of 0. 1st stage (IN)
is a process of inputting an external signal via the input line 5, the second stage (CAL) is arithmetic processing of the input data, and the third stage (our) is a process of controlling via the unit output line 6. Outputs the signal to the outside and connects the control output monitoring line 8
This process monitors the output value of its own arithmetic and control unit 1 via the . Hereinafter, a set of these processes will be referred to as a cycle.

The control processor 11 synchronizes the arithmetic and control unit 1 via the first transmission line 3 at the beginning of one cycle (first stage), and when synchronization is achieved, each control processor 11 simultaneously inputs an external signal. do. The input data is sent to another arithmetic and control unit 1 via the second transmission path 4, and a first data comparison is performed. When both data match, the output of the own arithmetic and control unit 1 is adopted, and when only the data from the two arithmetic and control units 1 match, the matched data is adopted. , proceed to the second stage.

In the second stage (CAL), an operation is executed based on the given data, and at the same time, a second data verification is performed as necessary.

In the third stage (OllT), the calculation result and the data provided via the second transmission path 4 are compared for the third time, and data on the majority side is sent to the majority logic circuit 2 via the unit output relay 12. send to Here, a majority vote is taken again, and the output is compared with the data output to the unit output relay 12 via the control output monitoring line 8. As a result, if the data match with each other, it is known that all functions of the own arithmetic and control unit 1 and the control output line 7 are normal, and if they do not match, it is found that there is a fault in one of them. However, since the majority logic circuit 2 takes a majority vote on the outputs of each arithmetic and control unit 1, a correct signal will be output to the external device unless a fault occurs in two places at the same time. At the end of the third stage, information on the failure detected in the series of processes from the beginning of the first stage is notified to the computer control unit 1 via the second transmission path 4.

In order to improve the ability to detect transient disturbances such as noise,
When the control processor has sufficient processing time, the following processing can be added.

■ Execute the processing of the first stage, second stage, and third stage twice, and compare the data obtained from the first and second executions.

■ Execute only the second stage calculation twice and compare the data obtained in the first and second executions.

■ At the end of the second stage, calculations are performed based on the inspection data, and the results are compared with previously stored expected values.

■ Compare the results executed one cycle or more earlier with the results executed in the current cycle, and check that the rate of change is less than or equal to a predetermined N value.

If a failure is detected through such processing, the processing for that cycle is invalidated and no output is sent to the unit output relay 13. If a failure is detected by these processes a predetermined number of times, the operation of the unit output relay 12 is stopped, and the state transitions to state 6 shown in FIG. 4.

The diagnostic processor 10 operates in the same cycle as the control processor 11, and exchanges monitoring information via the diagnostic processor status line 22 and the control processor status line 23 at the beginning of the first stage and the end of the third stage. Note that an alternating signal is passed through each of the signal lines 22 and 23, but when a fault occurs, the output of the alternating signal is stopped. This alternating signal is sent to the unit output relay 12 via the fail-safe OR circuit 13 shown in FIG. 2 to control its operation. When the alternating signal is stopped, the unit output relay 12 is fixed on the safe side.

Monitored items via control processor status line 23
” has the following two types.

■ The control processor 11 itself determines its own processor status and the status of other units.

■ Execution order of programs executed on the control processor 11.

The above-mentioned monitoring items (2) include the results of data collation performed by the control processor 11 described above, error detection by executing a self-diagnosis program, online/offline identification data of other units, and the like.

The above-mentioned monitoring item (2) includes monitoring whether the control processor 11 is executing programs in the correct order during one cycle.

The program executed by the control processor 11 has a unique number I for each task or program module.
I have 6 D. When these are executed, each I
D to diagnostic processor 10 via control processor status line 23. The diagnostic processor 10 uses F I FO ("1rst In Fi
It is appropriate to provide a buffer (rst 0ut). A table representing the order of IDs is stored in the memory inside the diagnostic processor 11, and each time an ID is sent from the control processor 11, it is compared with the contents of this table to determine whether there is any disorder in the sequence. Alternatively, it is checked whether the ID is not registered.

FIG. 6 is an explanatory diagram of synchronization between units in the embodiment shown in FIGS. 1 to 5. FIG. When an operator issues a start-up instruction to an arbitrary arithmetic and control unit (unit 1a here), the arithmetic and control unit 1a that received the start-up request becomes the master unit. Unit 1
The diagnostic processor 10 of a generates a synchronizing signal via the first transmission path 3, and the diagnostic processors 10 of the slave units 1b and 1c operate in synchronization with this signal.
In addition, the diagnostic processor 10 of each unit performs synchronous monitoring and control between other units via a synchronous bus, and the control processor 11
The control processor 11 operates by following the synchronization signal given from the diagnostic processor 10, and monitors the synchronization signal update time. Here, the synchronization is monitored by the majority logic of the first transmission line 3. Further, each unit is synchronized by mutual monitoring between the units, so that the operation timings of the application programs executed on the control processor 11 are matched. In this way, synchronous joint discharge does not make the time width of the synchronization signal variable,
Simply shift the synchronization signal update time forward or backward.

When a failure occurs in the master unit 1a, one of the downstream slave units 1b and 1c becomes a new mask unit and maintains synchronous control. That is,
This does not mean that synchronization is controlled and monitored at 1U of the system.

Here, when an IC receives or receives a synchronization signal during a specific tolerance error time TD, which specifies the synchronization timing, both its own unit and the sending unit are considered normal. When a synchronization signal is received outside the tolerance TD or when the synchronization signal is not updated, it is assumed that a fault has occurred.

The following may be considered as failure factors when the update time of the synchronization signal is incorrect or when the synchronization signal is not updated.

■Noise mixed into the synchronous bus, ■Timer failure of another unit, synchronization signal disconnection due to failure of the synchronous bus, ■V running of the diagnostic processor of another unit, ■Timer failure of the own unit, etc.

When these failures are detected multiple times in succession, 3
For heavy system operation, disconnect the faulty unit and transition to dual system.
In case of dual system operation, the unit will go down.

The setting value of timer TIMER, which represents the time of one cycle, is ■
When the synchronization signal update time is normal, Q < T
IMER≦TD →TjHER= TIMER+1 (delay)
T-TD≦TIMER<T →TIHER=TIHER-1 (speed up) TIMER=
T → TIMER=T (reset).

■When the update of the synchronization signal is invalid, T[)<TI
MER<T-TD → TIMER-TIHER (ignored).

FIG. 7 shows 12 startup operations of the embodiment shown in FIGS. 1 to 3.
Figure 1i. Start-up is performed using the following steps. Note that the three arithmetic and control units are A unit and B unit 1.
. . . unit C. For example, if a startup command is given to unit A, a command can be given to any unit i). ■~0 in FIG. 7i correspond to ■~■ in the following procedure.

(2) When the operator turns on the start-up switch SW and instructs any arithmetic and control unit 1 (referred to as the A unit) to start up, the diagnostic processor 10 in the A unit receives this instruction.

(2) The diagnostic processor 10 sends a startup command to the control processor 11 via the diagnostic processor status line 22.

(2) The control processor 11 transmits a start-up request command (start-up command) to all the arithmetic and control units 1'(B1'C units) of the unit via the second transmission line 4.

■ Control processor 1 receives the startup request command.
1 notifies its own diagnostic processor 10 of this via the control processor status line 23.

■ Receives a start-up request [The diagnostic processor 10 of the unit A becomes the parent unit for synchronization, generates a synchronization signal, and sends it to the other arithmetic and control units 1 (B, C) via the first transmission line 3. unit). When the diagnostic processors 10 of the B units and C units 1 to 1 receive the above-mentioned synchronization signal, they act as child units to perform synchronization tracking, and send a signal to confirm the synchronization tracking to the first transmission line 3.
It is sent to the parent Δ unit via .

(2) When synchronization is achieved in all the arithmetic and control units 1, a synchronization completion signal is sent to the control processor 11 via the diagnostic processor status line 22.

■ The control processor 11 that received the notification of synchronization completion,
Following the synchronization timing notified from the diagnostic processor 10, an external signal is inputted via the input line 5 as explained in FIG.
Data verification is carried out via.

The diagnostic processor 10 performs synchronization and monitoring as in step (2).

(2) When all the arithmetic and control units 1 achieve synchronization and data verification, they notify each other via the second transmission line 4 that mutual diagnosis has been completed. At the same time, control processor 11 notifies diagnostic processor 10 via control processor status line 23 that mutual diagnosis has been completed.

If step (■) is not reached within the predetermined time, a failure will occur in either the first transmission line 3, the second transmission line 4, or the arithmetic and control unit 1 (A, B, C unit). Therefore, we will investigate the faulty part.

If the two arithmetic and control units 1 can operate, the system is started up in state 4 of FIG. 4, and if this is not possible, the state shifts to state 6 of FIG.

■ When a startup request is made from the inspection device in step (2), notification of startup completion is given.

[Phase] All arithmetic and control units 1 are in state 2 in Figure 4.
The state transitions from state 3 to state 4, and performs synchronous tracking, monitoring, and data verification.

Diagnostic processor 10 sends a synchronization timing signal to control processor 11 via diagnostic processor status line 25.

Note that the startup procedure can be simplified by omitting steps (1), (2), and (3) above.

Furthermore, in the J operation shown in FIGS. 6 and 7 above, a detachable inspection device may be provided in place of the start-up switch SW, and a start-up command can be given by this.

〔Effect of the invention〕

As described above, according to the present invention, a single system is configured by connecting a plurality of arithmetic and control units through a transmission line for exchanging mutually synchronous monitoring information, and one of the arithmetic and control units is
At 13, a start-up signal is given, and the arithmetic and control unit becomes the parent unit at i' for synchronous monitoring, and other arithmetic and control units are made child units that synchronously follow the parent unit, and a failure occurs in the parent unit. In this case, the parent unit was separated from the system and one of the child units was made the parent unit, which eliminated the need for special hardware for computer synchronization and reduced the size of the equipment. A confidence calculator can be provided. Moreover, since the equipment that depends on the number of arithmetic and control units is limited to those related to the first and second transmission paths, a multicomputer that is highly flexible and easily expandable can be obtained.

[Brief explanation of the drawing]

FIG. 1 is a block diagram of the basic configuration of an embodiment of the present invention, FIG. 2 is a block diagram showing the internal structure of the arithmetic and control unit shown in FIG. 1, and FIG. 3 is the internal structure of the control processor shown in FIG. FIG. 4 is a state transition diagram explaining the operation of the embodiment shown in FIGS. 1 to 3, FIG. 5 is an explanatory diagram of the processing procedure of the arithmetic and control unit in FIG. FIG. 7 is a block diagram showing the relationship between synchronous control and monitoring, and is an explanatory diagram of the start-up operation in the embodiment of FIGS. 1 to 3. 3... first transmission line, 4... second transmission line, 5...
・Input line, 6...Unit output line, 7...Control output line, 8...Control output monitoring line, 13...Fail safe OR circuit, SW...Start switch, 21... Control processor output line, 22...Diagnostic processor status line, 23...Control processor status line, 24...Unit output relay control line, 25...Unit output relay status line. Applicant's agent Kiyoshi Inomata Figure 1 ((1) Figure 1 (b) Figure 3" 491° Figure 7

Claims (1)

[Scope of Claims] A plurality of arithmetic and control units constituting a single system; a transmission path for exchanging mutually synchronous monitoring information between the plurality of arithmetic and control units; When a start-up signal is given to one of the arithmetic and control units, the arithmetic and control unit concerned becomes the parent unit for synchronous control, and the other arithmetic and control units become child units that synchronously follow the parent unit, and a failure occurs in the parent unit. and means for separating the parent unit from the system and making one of the child units the parent unit when the parent unit is removed from the system.